From cfc945efd1ad92d7c118ddf4e021f0a2e25969d4 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:11:18 +0000
Subject: [PATCH 5/8] Fix repeated warning for file uploads limit exceeding

(cherry picked from commit 3a2fdef1ae38881110006616ee1f0534b082ca45)
---
 main/rfc1867.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index 1742b9c0a9..4aef7edb6e 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -932,7 +932,10 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 				skip_upload = 1;
 			} else if (upload_cnt <= 0) {
 				skip_upload = 1;
-				sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+				if (upload_cnt == 0) {
+					--upload_cnt;
+					sapi_module.sapi_error(E_WARNING, "Maximum number of allowable file uploads has been exceeded");
+				}
 			}
 
 			/* Return with an error if the posted data is garbled */
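Review bot: The `--upload_cnt;` on the new line turns the counter into a -1 sentinel meaning "warning already emitted", which is not visible from the code itself and would be silently undone by a later change that resets or re-reads the counter. A one-line comment pins the intent: `/* drop to -1 so the warning is raised once; later parts are still skipped via skip_upload */`. The enclosing rfc1867_post_handler body starts and ends outside this hunk.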
-- 
2.39.1

From d727c144435cb656f3636343a17c6bd48102ab95 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 19 Jan 2023 14:31:25 +0000
Subject: [PATCH 6/8] Introduce max_multipart_body_parts INI

This fixes GHSA-54hq-v5wp-fqgv DOS vulnerability by limiting the number of
parsed multipart body parts, as currently all parts were always parsed.

(cherry picked from commit 8ec78d28d20c82c75c4747f44c52601cfdb22516)
---
 main/main.c    |  1 +
 main/rfc1867.c | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/main/main.c b/main/main.c
index 7deb3010d9..e7edc03530 100644
--- a/main/main.c
+++ b/main/main.c
@@ -627,6 +627,7 @@ PHP_INI_BEGIN()
 	PHP_INI_ENTRY("disable_functions",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("disable_classes",			"",			PHP_INI_SYSTEM,		NULL)
 	PHP_INI_ENTRY("max_file_uploads",			"20",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
+	PHP_INI_ENTRY("max_multipart_body_parts",	"-1",			PHP_INI_SYSTEM|PHP_INI_PERDIR,		NULL)
 
 	STD_PHP_INI_BOOLEAN("allow_url_fopen",		"1",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_fopen,		php_core_globals,		core_globals)
 	STD_PHP_INI_BOOLEAN("allow_url_include",	"0",		PHP_INI_SYSTEM,		OnUpdateBool,		allow_url_include,		php_core_globals,		core_globals)
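Review bot: The new `max_multipart_body_parts` entry defaults to `-1`, which the rfc1867.c hunks of this patch treat as "derive the limit from max_input_vars plus max_file_uploads", but the diffstat lists only main/main.c and main/rfc1867.c, so as far as this patch shows neither the php.ini-development/php.ini-production templates nor any INI documentation describes the directive or its sentinel default. Operators who see the new warning and want to tune the limit have nothing in-tree to consult; a template entry such as `; max_multipart_body_parts = -1` with a comment stating that -1 means max_input_vars + max_file_uploads would close that gap. The PHP_INI_BEGIN() table continues outside this hunk.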
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 4aef7edb6e..1eb81827f5 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -704,6 +704,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 	void *event_extra_data = NULL;
 	unsigned int llen = 0;
 	int upload_cnt = INI_INT("max_file_uploads");
+	int body_parts_cnt = INI_INT("max_multipart_body_parts");
 	const zend_encoding *internal_encoding = zend_multibyte_get_internal_encoding();
 	php_rfc1867_getword_t getword;
 	php_rfc1867_getword_conf_t getword_conf;
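Review bot: `int body_parts_cnt = INI_INT("max_multipart_body_parts");` narrows the INI value (a zend_long, wider than int on 64-bit builds) into an int, mirroring the existing upload_cnt line, and the fallback in the next hunk, `body_parts_cnt = PG(max_input_vars) + upload_cnt;`, adds a second INI-controlled zend_long to it before the same narrowing, so a large max_input_vars setting can overflow the int and leave the limit negative or tiny before the first part is parsed. Because this counter is what bounds attacker-controlled parsing work, it should not be defeatable by an oversized but otherwise legal configuration; clamp before assigning, e.g. `zend_long limit = PG(max_input_vars) + (zend_long)upload_cnt; body_parts_cnt = limit > INT_MAX ? INT_MAX : (int)limit;`, and apply the same clamp to the INI_INT read here. The enclosing rfc1867_post_handler starts before this hunk.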
@@ -725,6 +726,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 		return;
 	}
 
+	if (body_parts_cnt < 0) {
+		body_parts_cnt = PG(max_input_vars) + upload_cnt;
+	}
+	int body_parts_limit = body_parts_cnt;
+
 	/* Get the boundary */
 	boundary = strstr(content_type_dup, "boundary");
 	if (!boundary) {
@@ -809,6 +815,11 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 			char *pair = NULL;
 			int end = 0;
 
+			if (--body_parts_cnt < 0) {
+				php_error_docref(NULL, E_WARNING, "Multipart body parts limit exceeded %d. To increase the limit change max_multipart_body_parts in php.ini.", body_parts_limit);
+				goto fileupload_done;
+			}
+
 			while (isspace(*cd)) {
 				++cd;
 			}
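Review bot: The warning text on the new php_error_docref line, `Multipart body parts limit exceeded %d.`, reads as if %d were the number of parts seen, while the argument is the configured limit (body_parts_limit); `Multipart body parts limit of %d exceeded.` states the same fact unambiguously for anyone triaging the log line. The new check also reports through php_error_docref whereas the sibling upload-limit warning in this same function uses sapi_module.sapi_error, so the two limit warnings may surface differently to SAPI log consumers; unless the difference is intentional, one mechanism for both keeps detection rules simple. The `goto fileupload_done` target and the remainder of the loop body lie outside this hunk.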
-- 
2.39.1

From 953b15210854fcf6f7e97d965a3e26463d91a29f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 09:14:47 +0100
Subject: [PATCH 7/8] NEWS

(cherry picked from commit 472db3ee3a00ac00d36019eee0b3b7362334481c)
---
 NEWS | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/NEWS b/NEWS
index bc9083d3e8..7d1786eeb2 100644
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ Backported from 8.0.28
   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
     (CVE-2023-0568). (Niels Dossche)
 
+- FPM:
+  . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
+    request body). (CVE-2023-0662) (Jakub Zelenka)
+
 Backported from 8.0.27
 
 - PDO/SQLite:
-- 
2.39.1

From 979ef0c000baf908d8fd5123d18a345fc5b21be1 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 14 Feb 2023 11:47:22 +0100
Subject: [PATCH 8/8] fix NEWS, not FPM specific

(cherry picked from commit c04f310440a906fc4ca885f4ecf6e3e4cd36edc7)
---
 NEWS | 2 --
 1 file changed, 2 deletions(-)

diff --git a/NEWS b/NEWS
index 7d1786eeb2..a2d95193c4 100644
--- a/NEWS
+++ b/NEWS
@@ -8,8 +8,6 @@ Backported from 8.0.28
     (CVE-2023-0567). (Tim Düsterhus)
   . Fixed bug #81746 (1-byte array overrun in common path resolve code).
     (CVE-2023-0568). (Niels Dossche)
-
-- FPM:
   . Fixed bug GHSA-54hq-v5wp-fqgv (DOS vulnerability when parsing multipart
     request body). (CVE-2023-0662) (Jakub Zelenka)
 
-- 
2.39.1